Jump to content

Security Questions? In 2016?


Thomas K.

Recommended Posts

Posted

Many sites are moving away from security questions because they're found to be unreliable or unsafe. It's curious that IPS is adopting this instead of 2-factor authentication. Perhaps 2-factor is coming later, but the implementation of security questions should be raising eyebrows. I know there's an option for users to opt-out, but this puts security responsibilities on the user, and the user may be ignorant.

http://research.google.com/pubs/pub43783.html

https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html

  • Management
Posted

That's very true but we also struggle to get people on supported versions of PHP ;) ... imagine what it would take to get people to sign up for 2FA services. Of course we are looking into it but unfortunately sometimes it is difficult for us to do all the most advanced things when dealing with web hosts who do not keep their servers in 2003 let alone 2016.

Posted
16 hours ago, Simon Woods said:

I'm not sure how 2FA is superior in this way?

In pretty much every way if its Google Authenticator etc. People cant guess your Google Auth password based on things on your facebook etc and details which may not change very often where as the code generated only lasts for 30 seconds.

Posted

I don't doubt the improvement in security strength. I'm questioning how if people might be ignorant, as quoted, 2FA works better? Is there something built into 2FA that somehow combats user ignorance?

Posted
8 minutes ago, Simon Woods said:

I don't doubt the improvement in security strength. I'm questioning how if people might be ignorant, as quoted, 2FA works better? Is there something built into 2FA that somehow combats user ignorance?

No user finger is one of the worst problems but at least with 2FA you could potentially force mods/staff to use it to minimise hack risks.

Posted

Simon Woods:

Security questions are opt-out, while 2-factor is opt-in (as far as I know). You're comparing them when they shouldn't be compared.

Look at it this way: Based on current research, security questions are a poor form of security (Google doesn't even use them anymore). If a user wants to be safe, it's the user's responsibility to not use the security questions. You could very easily argue that an account is more insecure if their account has security questions enabled, and if they're ignorant and don't opt-out, they're left being more insecure than if this feature didn't exist in the first place. With 2-factor authentication, it's opt-in, so it can't be compared on the same level. It's simply an added bonus to make your account safer.

 

Charles:

That's a good point. I definitely respect it and can see why the company chose this course of action, but I don't necessarily agree that it's a good enough excuse. Perhaps you need to "pull an Apple" and forge ahead against the resistance. Social engineering is becoming more and more common; I've seen personal lives and companies severely damaged due to social engineering. For example, it's all too common to hear of AWS accounts being compromised by simply tricking Amazon. Imagine if a forum is compromised in some form or another, and suddenly unencrypted personal details (answers to security questions) are out in the wild, putting people at risk across the web with their other accounts that use security questions.

There are obviously ways for forum administrators to customize this feature and make it more secure, but at the end of the day, it puts way too much responsibility on the administrators and users, and it's a poor security measure to begin with for the reasons I listed above.

Posted

Between security questions and TFA (with self-expiring codes), I find TFA easier, and I imagine most would - really difficult sometimes to come up with security questions (good ones) that you remember the answers to, and are not easily discoverable online via social media.

TFA is easy - almost everyone has a mobile number, and sending them a code to type in is as simple as it can get, in my opinion.

Posted
48 minutes ago, Thomas K. said:

Security questions are opt-out, while 2-factor is opt-in (as far as I know). You're comparing them when they shouldn't be compared.

This is from your topic starter. You compared them.

I'm well aware that TFA is better, as I have already basically said. It becomes problematic when you start considering average visitors and members of our communities. That's complicated and is not so easily solved as pro-TFA people often make it out to be; whether we like it or not, people need to be convinced that the trade-off between convenience and security is worth making.

Posted
12 minutes ago, Simon Woods said:

This is from your topic starter. You compared them.

I'll admit that I should have been more clear.

I am comparing them in a way that simply shows one is a better security measure than the other. On the other hand, you use a comparison that seems to imply that one option does not necessarily combat user ignorance more than the other, which I don't necessarily believe is true.

Here is what I'm saying:

  • The availability of security questions puts account security at risk more than I'd ever be comfortable with. The concerns outweigh the benefits.
  • While 2FA is rarely used by people (I believe less than 8% of Google users use it), it's at least there. It's harder to compromise, and its benefits outweigh the cons. The existence of 2FA itself isn't a problem, while the existence of security questions is a problem.

I'll try not to keep on re-iterating my points from now on though. I don't want to turn into an annoying broken record.

Posted

2FA and the ability to force it selectively depending upon group membership (like all staff/moderators) is probably one of the BEST feature of a competitive script in comparison to IPS.  I know of at least one major web admin site that had a moderators/staff member account hacked because of a weak password.  Forced 2FA on staff/moderator on that site would have prevented that from happening - and it's much friendlier than security questions to me.

PHP version (when on the minimum required) and whether on shared hosting or not doesn't apparently effect that script either.

Posted

The other problem with security questions is if you are compromised all those questions could be grabbed along with the user database and users being users they will reuse them on other sites with the same email address unless ipb intends to hash the answers.

Posted
11 hours ago, ZeroHour said:

The other problem with security questions is if you are compromised all those questions could be grabbed along with the user database and users being users they will reuse them on other sites with the same email address unless ipb intends to hash the answers.

They are stored encrypted.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...